Book: Password Authentication for Web and Mobile Apps

Password Authentication for Web and Mobile Apps is a new book for web and mobile developers who want to learn how secure password authentication works and implement it in their apps.

It answers almost all questions that developers have about password authentication, such as how to store passwords securely, how to remember users, how to implement multi-factor authentication, etc.

Some other topics that it covers:

  • Email address validation.
  • Unicode issues in usernames, emails, and passwords.
  • Secure randomness and UUIDs.
  • U2F / WebAuthn.
  • JWT and signed cookies.
  • Five password hashing functions — PBKDF2, bcrypt, scrypt, yescrypt, Argon2 — and their issues and vulnerabilities.
  • Client-side password prehashing.
  • Rate limiting.
  • and more…

The book is available at

SSL certificate chain resolver

When you purchase an SSL certificate from a certificate authority, in most cases it is signed not by the root certificate of that authority but by one or more intermediate certificates. The path from your certificate through those intermediates up to the root is called a certificate chain. Browsers can resolve such chains themselves by downloading certificates from the sources specified in them, but it is better to include the whole chain, except for the root certificate, in the response your server sends during the TLS handshake.


Gogs: setting up self-hosted GitHub clone

Forget the scripto-Perlo-C porridge needed to set up a web interface for Git! Forget installing thousands of dependencies to set up your own repository hosting! Gogs is here to make your life easier!

Gogs is a GitHub clone written in Go, which you can host on your own server. It’s a web interface to Git repositories plus a simple bug tracker. Gogs is very easy to install and use.
